Maintaining the security of computer systems is an important and difficult problem. For a single computer system, system logs, firewalls, and other intrusion detection systems provide a certain level of security, but as computer systems become more complex, detecting attacks on the system can become more difficult. For example, a complex computer system may include storage services, computing services, and virtual networking services that are shared across multiple customers as well as services and servers dedicated to individual customers. Attacks can be directed at any number of these systems, and a successful attack may be leveraged to compromise other connected services and subsystems. Therefore, detecting such attacks early is an important step in mitigating and preventing severe system compromise.